Solved

Hacked - need info

Posted on 2002-05-13
6
167 Views
Last Modified: 2010-04-13
below is a snippet of my logs.  i believe somebody is trying to hack into my server.  i'm not sure if it succeeded or not.

my server is deny them access to the files requested by reporting error 404.  what is error 500?

what about the default.ida?  what is an ida file?

thanks.

~~~~~~

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-05-09 06:11:49
#Fields: time c-ip cs-method cs-uri-stem sc-status
06:13:41 202.98.62.200 GET /scripts/root.exe 404
06:13:42 202.98.62.200 GET /MSADC/root.exe 404
06:13:44 202.98.62.200 GET /c/winnt/system32/cmd.exe 404
06:13:44 202.98.62.200 GET /d/winnt/system32/cmd.exe 404
06:13:46 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:46 202.98.62.200 GET /_vti_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
06:13:47 202.98.62.200 GET /_mem_bin/..%5c../..%5c../..%5c../winnt/system32/cmd.exe 404
06:13:47 202.98.62.200 GET /msadc/..%5c../..%5c../..%5c/..Á../..Á../..Á../winnt/system32/cmd.exe 500
06:13:48 202.98.62.200 GET /scripts/..Á../winnt/system32/cmd.exe 404
06:13:48 202.98.62.200 GET /scripts/winnt/system32/cmd.exe 404
06:13:49 202.98.62.200 GET /winnt/system32/cmd.exe 404
06:13:49 202.98.62.200 GET /winnt/system32/cmd.exe 404
06:13:51 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:51 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:52 202.98.62.200 GET /scripts/..%5c../winnt/system32/cmd.exe 404
06:13:52 202.98.62.200 GET /scripts/..%2f../winnt/system32/cmd.exe 404
08:23:22 202.111.154.51 GET /default.ida 200
0
Comment
Question by:jchew
  • 3
  • 2
6 Comments
 

Author Comment

by:jchew
ID: 7005994
btw, just fyi, i'm using Windows 2000 professional with IIS. i constantly check for updates at the ms update site and have applied all the latest SPs
0
 
LVL 32

Accepted Solution

by:
jhance earned 50 total points
ID: 7006037
This is the NIMDA probing your system.  But you're mostly OK.  If the response is 4XX or 500, it's a FAILURE and nothing happened.

But you have the default.ida in place:

>>>08:23:22 202.111.154.51 GET /default.ida 200

FIX THIS NOW.  You don't need this file anyway, just DELETE it.

Be sure you are up to date on all Microsoft HotFixes for your version of Windows.
0
 
LVL 11

Expert Comment

by:geoffryn
ID: 7006498
I agree with jhance.  The fact that your server returned 200 for default.ida is a BAD thing.  This just looks like a probe, if the log entry had looked like this:

08:23:22 202.111.154.51 GET /default.ida?XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX 200


Then you might have a serious problem.
0
Enterprise Mobility and BYOD For Dummies

Like “For Dummies” books, you can read this in whatever order you choose and learn about mobility and BYOD; and how to put a competitive mobile infrastructure in place. Developed for SMBs and large enterprises alike, you will find helpful use cases, planning, and implementation.

 

Author Comment

by:jchew
ID: 7007520
i tried the following

http://my.server/default.ida

and got the following reply

The IDQ file default.ida could not be found.

does this mean i'm safe?  i have updated my win2k with all the ms critical updates.

btw, can you please tell me what is an ida file?

thanks.
0
 
LVL 32

Expert Comment

by:jhance
ID: 7007566
It's a sample file that is included with IIS.  It is NOT needed for normal IIS web site operations and it is a known security risk.  Delete the file and be safe.
0
 

Author Comment

by:jchew
ID: 7007602
thanks for the info...
0

Featured Post

Backup Your Microsoft Windows Server®

Backup all your Microsoft Windows Server – on-premises, in remote locations, in private and hybrid clouds. Your entire Windows Server will be backed up in one easy step with patented, block-level disk imaging. We achieve RTOs (recovery time objectives) as low as 15 seconds.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Server 2003 DNS service disables and shutsdown on Domain Controllers 6 284
Norton Ghost for Windows NT 5 1,456
windows 2000 - Enable wifi 7 132
Building AD from Scratch 5 107
NTFS file system has been developed by Microsoft that is widely used by Windows NT operating system and its advanced versions. It is the mostly used over FAT file system as it provides superior features like reliability, security, storage, efficienc…
Large Outlook files lead to various unwanted errors and corruption issues. Furthermore, large outlook files can also make Outlook take longer to start-up, search, navigate, and shut-down. So, In this article, i will discuss a method to make your Out…
Migrating to Microsoft Office 365 is becoming increasingly popular for organizations both large and small. If you have made the leap to Microsoft’s cloud platform, you know that you will need to create a corporate email signature for your Office 365…
Video by: Mark
This lesson goes over how to construct ordered and unordered lists and how to create hyperlinks.

920 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

15 Experts available now in Live!

Get 1:1 Help Now